The invention relates to internet security and more particularly to software which provides, to a dial gateway, filtered router, or firewall, the ability to return a customizable text message or web page to a client user when an access violation occurs.
Currently most security on the Internet, as well as along intranets, is provided by filtered routers or firewalls. These devices generally maintain a list of destinations with which a user is authorized to communicate, compare the addresses of user-generated packets to the addresses of the destinations of the list, and limit packets sent by the user based on the IP address and/or port to which the packets are addressed. If the user tries to access an IP address for which the user does not have authorization, the firewall or router typically either silently discards the packet or returns an ICMP "host unreachable" message to the client.
One problem is that many TCP stacks, including Microsoft win95*, winNT*, etc., do not look for the "host unreachable" message, and/or do not communicate the error messages to the user. In the best case scenario, where the stack does relay the message, it typically is a cryptic message which simply states that the host is unreachable. It does not give the user a reason why the host is unreachable. Since reasons why a "host unreachable" message may be generated include not only that the user is not authorized to access the host, but also that the host is down, or that there is not a route to the desired host, the user will not know whether to make another attempt at establishing the communication. In the case where the unreachable message is not processed properly, or where the router silently discards the offending packet, the user/client is forced to wait until the application times out, or until the client computer kills the application.
Another instance in which user-intended messages may be undeliverable, or undelivered, is when a user is conducting Internet searching on a "pay as you go" basis, wherein the user prepays an amount for a subscription representing a fixed amount of search time or a fixed number of search requests. When the user has exhausted his or her prepaid allotment, it is desirable that the user be informed, so that he or she may take immediate steps to resubscribe, without having to lose the benefit of their current search (i.e., without having to exit, resubscribe, and then search from the starting point, again).
What is desirable, therefore, and what is an object of the present invention, is to provide a system and method for appropriately directing network access messages for display to users.
Another object of the invention is to provide a user with instant knowledge when they have tried to access an improper host, with no need for waiting several minutes for the application to time out.
Yet another objective of the invention is to provide a returned message which can be customized to display helpful information, such as "You do not have access to host x.x.x.x. Please call Customer Support at 111-1111-1111 to have your access updated".
Still another objective of the invention is to facilitate implementation of a 'pay as you go' Internet service, wherein, when the user's time has expired, the user is redirected to a web page that allows the user to buy more Internet time and to continue surfing.
These and other objects are realized by the present invention wherein packets are intercepted and a message returned to the user is redirected to a web page explaining why the user cannot access the host. This is currently implemented in TCP to redirect access violations from web browsers to hosts in the user's access list, which then display a message indicating why the user cannot access the desired host. This same model can also be used in support of the FTP and Telnet protocols.
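The decision described above can be sketched as follows. This is an added illustration, not code from the patent: the access-list layout, the notice host address, the `/notice` path and the function names are all assumptions, and it models only the gateway's choice between forwarding a browser connection and answering it with an HTTP redirect to a notice page that is itself on the user's access list.

```python
import ipaddress
from urllib.parse import urlencode

# Constructed sample policy; every name and address here is an assumption.
NOTICE_HOST = "192.0.2.10"   # hypothetical host serving the explanation page
ACCESS_LIST = {
    "alice": {"nets": ["192.0.2.0/24", "198.51.100.7/32"], "ports": {80},
              "seconds_left": 0},      # prepaid time used up
    "bob":   {"nets": ["192.0.2.0/24"], "ports": {80}, "seconds_left": 3600},
}

def permitted(user, dst_ip, dst_port):
    """True if the destination address and port are on the user's access list."""
    entry = ACCESS_LIST[user]
    addr = ipaddress.ip_address(dst_ip)
    in_net = any(addr in ipaddress.ip_network(n) for n in entry["nets"])
    return in_net and dst_port in entry["ports"]

def build_redirect(reason, dst_ip):
    """HTTP 302 pointing the browser at the notice page, with the reason attached."""
    # urlencode escapes the values, so nothing from the request can add headers.
    query = urlencode({"reason": reason, "host": dst_ip})
    return (f"HTTP/1.0 302 Found\r\n"
            f"Location: http://{NOTICE_HOST}/notice?{query}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode("ascii")

def decide(user, dst_ip, dst_port):
    """Return ("forward", None) or ("redirect", response_bytes) for one connection."""
    dst_ip = str(ipaddress.ip_address(dst_ip))   # reject malformed addresses early
    # The notice page must be reachable by this user, or the redirect cannot land.
    if not permitted(user, NOTICE_HOST, 80):
        raise ValueError("notice host must be on the user's access list")
    # Never redirect traffic to the notice page itself; that would loop.
    if (dst_ip, dst_port) == (NOTICE_HOST, 80):
        return "forward", None
    if ACCESS_LIST[user]["seconds_left"] <= 0:
        reason = "expired"       # pay-as-you-go allotment exhausted
    elif not permitted(user, dst_ip, dst_port):
        reason = "denied"        # destination not on the access list
    else:
        return "forward", None
    return "redirect", build_redirect(reason, dst_ip)

if __name__ == "__main__":
    for args in [("bob", "192.0.2.55", 80), ("bob", "203.0.113.9", 80),
                 ("alice", "198.51.100.7", 80), ("alice", NOTICE_HOST, 80)]:
        print(args, decide(*args)[0])
```

The browser receives an immediate answer with a stated reason, rather than waiting for a timeout on a silently discarded packet.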